requesting-code-review

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): The template file code-reviewer.md contains a bash script block that uses the placeholders {BASE_SHA} and {HEAD_SHA}. Since these values are directly placed into the command string without escaping or validation, an attacker could provide a value containing shell metacharacters (e.g., ;, |, or &) to execute arbitrary commands when the agent attempts to run the git diff.
  • [PROMPT_INJECTION] (LOW): The skill is susceptible to indirect prompt injection. (1) Ingestion points: code-reviewer.md ingests external data through {WHAT_WAS_IMPLEMENTED}, {PLAN_OR_REQUIREMENTS}, and {DESCRIPTION}. (2) Boundary markers: No delimiters or isolation markers are used to separate these inputs from the system instructions. (3) Capability inventory: The subagent has the capability to execute shell commands and read file diffs. (4) Sanitization: No sanitization or filtering of the injected content is performed. This structure allows an attacker to hide instructions in the code or plans being reviewed to manipulate the agent's assessment.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 17, 2026, 06:30 PM